simple port forwarding

Hello Waghelak,

You first have to go to Firewall > NAT and make a NAT rule where the original and destination matches how you want the traffic to be forwarded. Then you have to go to the main firewall policies and make a firewall rule for the end result of the NAT. So if you forward to an internal server, you will have to make a firewall rule from the original source (internet) then with the resulting services (if you changed it, use the changed service, otherwise use the original) and the resultant changed destination.

Hope that description helps.

Emile

It is very confusing:

1. Create a NAT, under Rules and policies. For example,
2. 
3. Create a Firewall rule to allow traffic from Any to WAN zone where destination network/host is the WAN ip address

Thanks, got it working.

Thanks Luk

It is very confusing indeed.

Hello Luk,

please check ( below ) the DNAT firewall rule and appropriate DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN interface! It is very interesting interconnection of the Destination Zone and the Destination Network!

This is not me, but it is the result of business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again thanks to Sophos ...

However, it is important that the DNAT rule must be before the masquerading rule (MASQ) otherwise of course "matches" the User Portal. 

Regards

alda

[:(]

alda, 

this does not make sense. I guess it is a bug. The possible way that the DNAT should work are:

• Source zone: wan
• Source network: any or specific souce public ip
• destination zone: internal
• destination network: internal server where the service we want to publish is located

Another way could be:

• Source zone: any
• Source network: any or specific souce public ip
• destination zone: wan
• destination network: WAN port or alias

Anyway I liked the v17 wizard and WAF but it seems I am alone....

I'm with Luk.  Really liked the way v17 did this.  Probably more from getting familiar and changing my thought process to XG vs others.

Looking forward to seeing how this improves over the coming months.

Hello Luk and axsom1,

I agree with you, of course. That's why I wrote that I learned something new even though I mean it very sarcastically. I can't imagine how v18 EAP1 was tested when it works like that. LuCar Toni mentioned is some thread that he  tested/used v18 EAP1 for several weeks and nobody from Sophos has not seen these errors in the implementation? No one compare the original firewall rules with the resulting firewall rules after migration  when they developed it?

I can't explain it well enough. The v18 EAP1 is released in less than a week and "amateurs" like us find such implementation errors in a few days?

Regards

alda

I also very much preferred the unified single plane of glass, frankly it was one of the crowning features of the XG.

One page to rule them all, one page to find them and one page in the darkness, bind them.

Now we have ambiguity across a few pages now, if it were possible, I'd rebind everything with Natting back into the unified system but have the option to do separate global NATs as a side offering. I miss my BUNs (BAPs and UN rules) already.

Emile

Before this thread, I created a specific one:

Please post there so Sophos can collect feedbacks faster.

Thanks

I agree with you all.